New laws and an emphasis on good ESG practices are leading to more scrutiny of an already-pressured global supply chain. How can GRC data ensure that your organization’s quality, ethical and regulatory standards are being met?
In response to the rising geopolitical tensions in the world, U.S. President Joseph Biden issued an Executive Order focused on securing America's supply chain in February 2021, and the Cybersecurity and Infrastructure Agency (CISA), issued a report in February 2022 that identifies critical risks that could disrupt supply chains. EO 14017 emphasizes that the U.S. requires diverse and secure supply chains to ensure its economic prosperity and national security in a world facing a pandemic, intensifying geopolitical competition and cyberattacks. The same can be said for companies.
This has become particularly true since Russia's invasion of Ukraine. Numerous countries have put sanctions on Russia and key Russian leaders, leaving many brands, companies, suppliers, vendors, and countries in a uniquely challenging supply chain situation. Likewise, a variety of industries are experiencing supply chain stress due to the availability of Ukraine-based companies. The world even got a flashback to last year's container ship traffic jam in the Suez Canal and the resulting global trade disruption when a sister ship of Evergreen, Ever Forward, ran aground in Maryland.
Supply chains are critical to businesses and countries but are also potential points of vulnerability. Extended supply chains that map through diverse geographical regions not only leave companies at greater risk but have also become the focus of regulators. The long-standing veil over outsourced and offshored supply chains is being peeled back through international actions and it has forced companies with non-compliant suppliers to change their approach.
As the demand to increase the visibility of each link of the supply chain evolves from a trend to a mandate, organizations are increasingly responsible for ensuring that they aren’t funding fundamentally unethical behavior.
This focus on due diligence regarding an organization’s supply chain coincides with the increasing emphasis on Environmental, Social and Governance (ESG) best practices. Companies that should already be aware of their own supply chain risks now need to identify how their partner organizations' ethical practices align with these guidelines. Ensuring that each stage of a supply chain meets new regulations and leaves companies with the least amount of risk can be a significant challenge, but it is something that can be managed through due diligence and data.
Supply chain struggles
The global focus on ensuring companies focus on ESG throughout their supply chain is especially complicated for those who have expanded operations into other countries. Before the recent focus on supply chain visibility, companies had been able to search for suppliers without the responsibility of ensuring these organizations were held to a high international standard.
This led many companies to extend their supply chain into China, where low costs and limited regulations created an environment of relatively cheap suppliers. China has become a massive base as a supplier for organizations across the globe and especially in the U.S., with nearly 20 percent of all imported goods to the U.S. originating from there. Unfortunately, China has had a problematic history with regard to transparency and human rights, making it a challenging location with the recent crackdown on supply chains.
The Covid-19 pandemic also revealed that business trends such as just-in-time manufacturing relied heavily on an always-operational supply chain. As regional shutdowns due to the pandemic stalled production by vendors and slowed the transportation of goods, cracks in the supply chain showed up as business continuity and operational risks to delivering finished goods in a timely manner across a variety of manufacturing-dependent industries.
Supply chains are additionally susceptible to cybersecurity risks. Supply chain attacks can exploit third-party supplier vulnerabilities and use these vendors as a jumping-off point for cybercriminals to move upstream and eventually gain access to a partnering company's sensitive information. Data and system integrations with partners, suppliers and third-party vendors increase exposure risks, thus a major driver in supply chain management and oversight is third-party vendor risk management.
Accompanying geopolitical challenges and supply chain management problems is this international pressure for companies to take more responsibility to ensure an ethical supply chain. This pressure has taken the form in the U.S. as an Executive Order regarding the country's own supply chain as well as the Uyghur Forced Labor Prevention Act. This specifically targets the Xinjiang Uyghur Autonomous Region within China and forbids the import of goods from the region. The law is a marker of things to come, and companies need to be aware of any potential labor problems within the regions their suppliers operate.
This movement isn't just limited to the U.S. either. The anticipated EU Mandatory Due Diligence Directive takes aim at supply chain transparency as well. This directive stresses that human rights violations and breaches of social and environmental standards can be the result of an undertaking’s own activities or of those under their control and along their value chain.
It, therefore, underlines that due diligence by organizations should encompass their entire supply chain and, if a problem is found at one end of the supply chain, then the other end is at least partially responsible.
How to leverage data to mitigate risk
The challenges of maintaining secure supply chains and the increased responsibility lawmakers have placed on companies can be significant hurdles, but they do not have to be insurmountable. When it comes to managing supply chains and vetting vendors and suppliers, leveraging data can be the answer. As the upcoming legislation for the European Union suggests, companies need to do their due diligence when assessing current or future vendors and suppliers. Data points that need to be investigated when weighing a potential partnership include:
- Location: At the top of everyone's mind in the Spring of 2022 is the current conflict in Eastern Europe. The sanctions imposed on Russia and the availability of suppliers in Ukraine are an important reminder that potential geopolitical risks need to be assessed when vetting vendors.
- Communication: While hard to quantify, communication can be equally important. Speaking with other partners and investigating some of their experiences can save a company from getting into a challenging situation with a vendor who provides little feedback.
- Capacity: Understand what the limits are of the supplier through an information request and measure that against requirements. Have they struggled to fill orders on time before? Have other partners received low-quality goods?
- Short- and long-term outlook: Will the supplier be able to meet a company's needs over the course of the next few years? It is important for organizations interested in partnering with a supplier to look over their recent success record and what the ownership history and business environment look like in the near future.
Aside from performing due diligence on future suppliers, companies should review their established supply chain and consider making risk-informed adjustments and implementing redundancy. From pandemic-caused operational slowdowns to Russian sanctions, recent experience demonstrates the need for in-depth review of potential points of vulnerability across vendors and suppliers.
- Tightening supply chains: Extending supply chains abroad may be too much of a risk for some companies. It is important for companies to take a serious look at the risk of compliance or legal issues that their current supply chain poses and consider limiting their supplier search.
- On-shoring: With the increasing regulatory appetite for companies to do due diligence when it comes to supply chains, reeling in these chains to suppliers within a national border may be the best approach now. Relying on cheap, overseas labor is no longer proving sustainable from economic, regulatory, availability, ethical or brand reputation points of view, so maintaining a supply chain within the same country as the original business keeps compliance straightforward.
- Regular risk reviews: Supply chains are under greater scrutiny, and it is critical for companies to be fully aware of their operational, vendor and supplier dependencies at all times. Regular reviews of your supply chain, constant monitoring of the global regulatory horizon and identifying new and potential risks are today's business imperatives.
An integrated GRC approach to managing risks that collects data from operational risks, third-party risk management, cybersecurity risk, and regulatory change management provides an advantageous approach to supply chain oversight. It can ensure that quality, ethical and regulatory, and ESG standards are being met by all organizations that contribute to your company's finished product or solution set.